Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-37671

[release4.16] Ingress controller related certificates' validate dates gathering

XMLWordPrintable

    • No
    • CCXDEV Sprint 121
    • 1
    • False
    • Hide

      None

      Show
      None
    • The Insights Operator now collects information about all Ingress Controller certificates (NotBefore and NotAfter dates). It aggregates it into a JSON file in the path 'aggregated/ingress_controllers_certs.json'.
    • Enhancement
    • In Progress

      This is a clone of issue OCPBUGS-35727. The following is the description of the original issue:

      Business required:

      We had a recommendation to check the certificate of the default ingress controller expiration after it has expired. From the referenced KCS, it seems that many customers(hundreds) hit this issue. So, oarribas@redhat.com suggests that if we can have a recommendation to alert customers before certificate expiration. 

      Gathering method:

      1. Gather all the ingresscontroller objects(we already gathered the default ingresscontroller) with commands: 
      oc get ingresscontrollers -n openshift-ingress-operator
      2. Gather operator auto-generated certificate's validate dates with commands:

      $ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
      #### empty output here when certificate created by the operator
      $ oc get secret router-ca -n openshift-ingress-operator -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      notBefore=Dec 28 00:00:00 2022 GMT
      notAfter=Jan 22 23:59:59 2024 GMT
      
      $ oc get secret router-certs-default -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      notBefore=Dec 28 00:00:00 2022 GMT
      notAfter=Jan 22 23:59:59 2024 GMT
      

      3. Gather custom certificates' validate dates with commands:

      $ oc get ingresscontrollers -n openshift-ingress-operator -o yaml | grep -A1 defaultCertificate
          defaultCertificate:
            name: [custom-cert-secret-1]
      
      #### for each [custom-cert-secret] above
      $ oc get secret [custom-cert-secret-1] -n openshift-ingress -o yaml | grep crt | awk '{print $2}' | base64 -d | openssl x509 -noout -dates
      notBefore=Dec 28 00:00:00 2022 GMT
      notAfter=Jan 22 23:59:59 2024 GMT
       

      Other Information:

      An RFE to create a cluster alert is under reveiwing: https://issues.redhat.com/browse/RFE-4269

            rh-ee-ijimeno Isaac Jimeno
            openshift-crt-jira-prow OpenShift Prow Bot
            baiyang zhou baiyang zhou
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: